CVE-2019-11708HIGH
Description
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
https://security.gentoo.org/glsa/201908-12
Details
Source: MITRE
Published: 2019-07-23
Updated: 2019-08-15
Type: CWE-20
Risk Information
CVSS v2.0
Base Score: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Impact Score: 10
Exploitability Score: 10
Severity: HIGH
CVSS v3.0
Base Score: 10
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Impact Score: 6
Exploitability Score: 3.9
Severity: CRITICAL
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 145685 | CentOS 8 : firefox (CESA-2019:1696) | Nessus | CentOS Local Security Checks | critical |
| 145575 | CentOS 8 : thunderbird (CESA-2019:1623) | Nessus | CentOS Local Security Checks | critical |
| 134411 | NewStart CGSL MAIN 4.05 : firefox Multiple Vulnerabilities (NS-SA-2020-0017) | Nessus | NewStart CGSL Local Security Checks | critical |
| 134410 | NewStart CGSL MAIN 4.05 : thunderbird Multiple Vulnerabilities (NS-SA-2020-0022) | Nessus | NewStart CGSL Local Security Checks | critical |
| 128698 | NewStart CGSL MAIN 4.06 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0178) | Nessus | NewStart CGSL Local Security Checks | critical |
| 128691 | NewStart CGSL MAIN 4.06 : firefox Multiple Vulnerabilities (NS-SA-2019-0175) | Nessus | NewStart CGSL Local Security Checks | critical |
| 127961 | GLSA-201908-12 : Mozilla Firefox: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
| 127596 | Oracle Linux 8 : firefox (ELSA-2019-1696) | Nessus | Oracle Linux Local Security Checks | critical |
| 127595 | Oracle Linux 8 : thunderbird (ELSA-2019-1623) | Nessus | Oracle Linux Local Security Checks | critical |
| 127448 | NewStart CGSL CORE 5.05 / MAIN 5.05 : firefox Multiple Vulnerabilities (NS-SA-2019-0164) | Nessus | NewStart CGSL Local Security Checks | critical |
| 127447 | NewStart CGSL CORE 5.05 / MAIN 5.05 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0163) | Nessus | NewStart CGSL Local Security Checks | critical |
| 127442 | NewStart CGSL CORE 5.04 / MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2019-0161) | Nessus | NewStart CGSL Local Security Checks | critical |
| 127441 | NewStart CGSL CORE 5.04 / MAIN 5.04 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0160) | Nessus | NewStart CGSL Local Security Checks | critical |
| 126962 | Amazon Linux 2 : thunderbird (ALAS-2019-1250) | Nessus | Amazon Linux Local Security Checks | critical |
| 126558 | RHEL 8 : firefox (RHSA-2019:1696) | Nessus | Red Hat Local Security Checks | critical |
| 126465 | Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : thunderbird vulnerabilities (USN-4045-1) | Nessus | Ubuntu Local Security Checks | critical |
| 126435 | Scientific Linux Security Update : thunderbird on SL7.x x86_64 (20190627) | Nessus | Scientific Linux Local Security Checks | critical |
| 126434 | Scientific Linux Security Update : firefox on SL7.x x86_64 (20190626) | Nessus | Scientific Linux Local Security Checks | critical |
| 126391 | Debian DSA-4474-1 : firefox-esr - security update | Nessus | Debian Local Security Checks | critical |
| 126389 | CentOS 7 : thunderbird (CESA-2019:1626) | Nessus | CentOS Local Security Checks | critical |
| 126388 | CentOS 6 : thunderbird (CESA-2019:1624) | Nessus | CentOS Local Security Checks | critical |
| 126386 | CentOS 6 : firefox (CESA-2019:1604) | Nessus | CentOS Local Security Checks | critical |
| 126385 | CentOS 7 : firefox (CESA-2019:1603) | Nessus | CentOS Local Security Checks | critical |
| 126366 | Scientific Linux Security Update : thunderbird on SL6.x i386/x86_64 (20190627) | Nessus | Scientific Linux Local Security Checks | critical |
| 126321 | RHEL 7 : thunderbird (RHSA-2019:1626) | Nessus | Red Hat Local Security Checks | critical |
| 126320 | RHEL 6 : thunderbird (RHSA-2019:1624) | Nessus | Red Hat Local Security Checks | critical |
| 126319 | RHEL 8 : thunderbird (RHSA-2019:1623) | Nessus | Red Hat Local Security Checks | critical |
| 126318 | Oracle Linux 7 : thunderbird (ELSA-2019-1626) | Nessus | Oracle Linux Local Security Checks | critical |
| 126317 | Oracle Linux 6 : thunderbird (ELSA-2019-1624) | Nessus | Oracle Linux Local Security Checks | critical |
| 126303 | Scientific Linux Security Update : firefox on SL6.x i386/x86_64 (20190626) | Nessus | Scientific Linux Local Security Checks | critical |
| 126300 | Oracle Linux 6 : firefox (ELSA-2019-1604) | Nessus | Oracle Linux Local Security Checks | critical |
| 126252 | RHEL 6 : firefox (RHSA-2019:1604) | Nessus | Red Hat Local Security Checks | critical |
| 126251 | RHEL 7 : firefox (RHSA-2019:1603) | Nessus | Red Hat Local Security Checks | critical |
| 126249 | Oracle Linux 7 : firefox (ELSA-2019-1603) | Nessus | Oracle Linux Local Security Checks | critical |
| 126247 | Debian DLA-1836-1 : thunderbird security update | Nessus | Debian Local Security Checks | critical |
| 126231 | openSUSE Security Update : MozillaThunderbird (openSUSE-2019-1606) | Nessus | SuSE Local Security Checks | critical |
| 126224 | Debian DSA-4471-1 : thunderbird - security update | Nessus | Debian Local Security Checks | critical |
| 126218 | Mozilla Thunderbird < 60.7.2 | Nessus | Windows | critical |
| 126217 | Mozilla Thunderbird < 60.7.2 | Nessus | MacOS X Local Security Checks | critical |
| 126173 | SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:1684-1) | Nessus | SuSE Local Security Checks | critical |
| 126172 | SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2019:1682-1) | Nessus | SuSE Local Security Checks | critical |
| 126148 | openSUSE Security Update : MozillaFirefox (openSUSE-2019-1595) | Nessus | SuSE Local Security Checks | critical |
| 126147 | openSUSE Security Update : MozillaThunderbird (openSUSE-2019-1594) | Nessus | SuSE Local Security Checks | critical |
| 126137 | FreeBSD : Mozilla -- multiple vulnerabilities (49beb00f-a6e1-4a42-93df-9cb14b4c2bee) | Nessus | FreeBSD Local Security Checks | critical |
| 126136 | FreeBSD : Mozilla -- multiple vulnerabilities (39bc2294-ff32-4972-9ecb-b9f40b4ccb74) | Nessus | FreeBSD Local Security Checks | critical |
| 126133 | Fedora 30 : gjs / mozjs60 (2019-c2ff49ef73) | Nessus | Fedora Local Security Checks | critical |
| 126132 | Fedora 29 : firefox (2019-53e4772bb8) | Nessus | Fedora Local Security Checks | critical |
| 126131 | Fedora 30 : firefox (2019-1ae01e6688) | Nessus | Fedora Local Security Checks | critical |
| 126093 | Slackware 14.2 / current : mozilla-firefox (SSA:2019-172-01) | Nessus | Slackware Local Security Checks | critical |
| 126072 | Mozilla Firefox < 67.0.4 | Nessus | Windows | critical |
| 126071 | Mozilla Firefox ESR < 60.7.2 | Nessus | Windows | critical |
| 126070 | Mozilla Firefox < 67.0.4 | Nessus | MacOS X Local Security Checks | critical |
| 126069 | Mozilla Firefox ESR < 60.7.2 | Nessus | MacOS X Local Security Checks | critical |